


Spanish Data Protection Authority has imposed a fine of 70,000 Euro on a credit institution


published on 21 November 2022 | reading time approx. 3 minutes


The Spanish Data Protection Authority (AEPD, for its acronym in Spanish) has imposed a fine of 70,000 € on a leading credit institution for disclosing the personal address of a client's representative.

In this case, both the representative (a lawyer) and the represented party were clients of the fined entity, and the bank stored the personal addresses of both individuals in its client files. When the bank delivered to the principal a copy of the claim filed by her lawyer, that copy mistakenly contained the lawyer's personal address rather than the professional address the lawyer had provided in the context of the claim; until then, the principal had not known the lawyer's personal address.

The AEPD considers that processing this personal data (the lawyer's home address) for the purpose of handling the claim filed by the attorney on behalf of a third party (the bank's client) breaches the principle of purpose limitation under art. 5.1.b) of the General Data Protection Regulation (hereinafter, GDPR), since the banking institution processed the lawyer's personal data in a manner incompatible with the purpose for which it had been collected, namely the lawyer's own relationship with the bank as a client.

Security breach? Were there technical and organisational measures appropriate to the processing?

The AEPD's resolution analyses the scope of articles 32 and 83 of the GDPR, together with recital 74, to determine whether the security obligations applicable to the processing were complied with.

In this respect, the resolution notes that, although the regulation does not provide an exhaustive list of security measures applicable to each processing operation, it does set out the general criteria that both the controller and the processor must take into account when defining technical and organisational measures appropriate to the risk of the processing. These are the well-known ones: the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, weighed against the likelihood and severity of the risks to the rights and freedoms of the data subjects. The measures must be appropriate and proportionate to the risk identified, and their effectiveness must be duly verified and evaluated, in particular after an incident, so as to ensure the confidentiality, integrity and availability of the data. Nothing new at all.

The AEPD also analyses concepts such as "permanent implementation", "risk analysis" and "due diligence", finding that when the fined institution used the lawyer's personal data stored in his client file to handle a third party's claim, thereby revealing his personal address, it clearly had not adopted technical and organisational measures appropriate to guarantee the security and confidentiality of the data, in breach of art. 32 of the GDPR.

It is also concluded that there was a breach of the principle of integrity and confidentiality under art. 5.1.f) of the GDPR, as the bank was unable to prevent a disclosure of data to which the data subject had not consented.

Finally, after applying the graduation criteria, the AEPD imposed a fine of 25,000 Euro for the infringement of art. 5.1.b) of the GDPR, a fine of 20,000 Euro for the infringement of art. 32 of the GDPR and a fine of 25,000 Euro for the infringement of art. 5.1.f) of the GDPR, for a total of 70,000 Euro for revealing one client's personal address to another client of the same entity.

DATA PROTECTION BITES

Author


Jorge Cabet

Lawyer, Data Protection Department Spain

Senior Associate

+34 91 5359 977



Betsabé Leal

+34 91 5359 977


RÖDL & PARTNER SPAIN
